You should be familiar with the concepts in the following topics:

• "NFS Gateway Access Control"
• "Comparing NetWare and NFS File Security"
• "NetWare Rights and UNIX Permissions"

NFS Gateway Access Control

NetWare and UNIX use different methods for controlling access to files. Although both NetWare and UNIX have some similarities regarding directory and file security, NetWare security is more elaborate. At a basic level, both systems assign access controls to similar user types. The specifics, however, are different. The file sharing service maps these differences so that setting access controls from one system has similar meaning and effect on the other system.

Depending on the level of security and type of access control that suits your network setup, the file sharing service enables you to select from four different access control mechanisms called access control modes. If the access control mode specifies that the NFS Gateway file sharing service translate controls between NetWare and UNIX, the translation mechanism ensures that NFS security is at least equal to the limits imposed by NetWare.

The available access modes are as follows:

• IDXNFS Gateway:access control modes:NFS mode/IDXIDXNFS mode/IDXNFS Mode---controls access based solely on NFS permissions.

  When using this mode, NetWare users cannot change access control and NetWare access control modes are bypassed. The NetWare user's access to a file is determined entirely by the user's UID, GID, and the permission mode of the file.

  This mode functions as follows:

  • NetWare access controls such as rights and attributes are bypassed.
  • Access to UNIX files is determined completely by the user's UID and the UNIX permission mode of the file.
  • Modifying a file's attributes or permissions from NetWare has no effect on the file.

  Use this option to preserve UNIX security. The NetWare workstation functions exactly like a PC-NFS client.

• IDXNFS Gateway:access control modes:Gateway mode #1/IDXIDXGateway mode #1/IDXGateway Mode #1---creates trustee rights and attributes to emulate NFS permissions and creates NFS permissions to emulate NetWare trustee rights and attributes.

  When using this mode, changes from both NetWare and NFS clients propagate to the other side.

  This mode functions as follows:

  • UNIX permissions are emulated by assigning trustee rights for the owner, group, and world to all files.

  • Modifying the trustee rights of the owner, group, or world from NetWare modifies the UNIX permission mode.

  • NetWare file attributes are propagated to UNIX. For example, flagging a file as Read-Only from NetWare removes the read permission for owner, group, and others on the UNIX side.

  • UNIX permissions are propagated to NetWare. For example, executing the following command causes the file named temp to be flagged as Read-only on the NetWare side:chmod 444 temp

    This command also modifies the trustees rights of the file.

  This mode requires more overhead than the other modes because of the extensive mapping.

• IDXNFS Gateway:access control modes:Gateway mode #2/IDXIDXGateway mode #2/IDXGateway Mode #2---similar to Mode #1, but does not automatically map access control between file systems.

  When using this mode, both NetWare and NFS clients can change permissions, but the change from one side is not mapped to the other side. This is the default mode.

  This mode functions as follows:

  • NetWare attributes and rights are enforced on NetWare users but have no effect on the UNIX permission mode of a file. For example, if you flag a file as Read-only from NetWare, UNIX users can continue to modify the file.
  • UNIX attributes are always enforced, but are not propagated to NetWare. For example, if you remove the write permission from a file in UNIX, NetWare permissions and rights might indicate that the file can be modified, but requests to do so will be denied.

• IDXNFS Gateway:access control modes:NetWare mode/IDXIDXNetWare mode/IDXNetWare Mode---controls access based solely on NetWare rights and attributes.

  When using this mode, UNIX permissions are ignored.

  This mode functions as follows:

  • The NFS Gateway volume appears to DOS users as any other NetWare volume. Access to files and directories is determined solely by NetWare effective rights and file attributes.
  • All NetWare files are owned by the root user on the UNIX host. All requests from the NFS Gateway are from the root user (UID=0).
  • The volume must be exported from the NFS server granting root access to your server.
  • The NFS volume should be accessed primarily by NetWare users.

For details on the conversion of file characteristics and permissions between file systems, see "Mapping NetWare Rights and UNIX Permissions."

Comparing NetWare and NFS File Security

NetWare and NFS file and directory security differ in some respects, but both systems base the degree of security on the following:

• A user's need for and right to the information
• The sensitivity of the information

To protect file information, the system separates users into classes. Each class is only permitted necessary file access.

When an exact mapping of rights between the two systems is not possible and the access control mode specifies a conversion, the file sharing service translates the rights in favor of tighter rather than looser control. Even though the automatic translation between NetWare rights and NFS permissions honors the security of both systems, the following can occur: IDXNFS Gateway:conversion when exact mapping not possible/IDX

• A user can have rights in NetWare that are denied in NFS because a direct translation is not possible. It is better to limit permissions than grant unintended access.
• Rights added from NetWare might not add to the permissions allowed for the NFS user.

The automatic mapping of access controls has the following advantages:

• The system supervisor can control the tradeoff between security and ease of use.
• Mapping maintains each client system's level of security.
• Mapping does not impair the operation of other software.
• Mapping functions simply, and the process implements nothing new beyond the normal requirements of NetWare or UNIX. (A NetWare user or a UNIX user does not need to know anything about the other system.)

The following sections discuss the NFS and NetWare file access controls.

NFS Controls

For each of the three NFS user classes (user, group, and world), there are three access controls, called permissions. For a file, these permissions allow a user to read from, write to, and execute the file.IDXpermissions:NFS Gateway/IDXIDXNFS Gateway:permissions/IDX

For a directory, the same permissions apply. Users need read permission to use the ls command to list the files in a directory. Users need write permission to add or remove files from a directory. Users need execute permission to access the directory with the cd command or use the directory as part of a path. To access a file in a subdirectory, a user must have the proper permissions for the file and for all the directories in the path.

During installation, the software creates the NFS group world and maps it to the current OU. By default, the group world contains all the DNS objects in the current OU.

NetWare Controls

NetWare Rights Security is based on the combined effects of trustee rights and rights invoked with the Inherited Rights Mask (see the NetWare documentation for descriptions of these NetWare security terms). The actual rights a user can exercise in a directory or file depend on these combined rights, which are referred to as a user's effective rights. It is the effective rights that are of concern here, because it is the effective rights that translate between NFS and NetWare directories and files.IDXsecurity:NFS Gateway:NetWare trustee rights/IDX

The NetWare effective rights that pertain to either directories or files are summarized in the following table. See the NetWare documentation for details.IDXeffective rights:NFS Gateway/IDX

Effective rights can also be transferred from one user to another. This transfer of effective rights, called security equivalence, allows one user to have the same rights as another. Transferred effective rights are also translated between NFS and NetWare.IDXsecurity:NFS Gateway:equivalence/IDX

Besides a user's effective rights, some NetWare file attributes put additional controls on specified directories or files (refer to "Attributes" in NetWare documentation). These controls take precedence over a user's effective rights. A user with the Modify right, however, can override the file attributes.IDXsecurity:NFS Gateway:controlling with file attributes/IDX

Impact of NetWare Security on NFS

If the NFS Gateway file sharing service is set up to use an access mode that translates access controls, the file sharing service effectively honors NetWare security on all given files and directories. In doing so, the rights as seen from NFS might appear more restrictive than the rights as seen from NetWare DOS. This apparent discrepancy occurs because NFS permissions are not as comprehensive as NetWare rights, and NFS might have no way of representing a right that is present on NetWare.

Impact of NFS Security on NetWare

If the NFS Gateway file sharing service is set up to use an access mode that translates access controls, NFS access can become too restrictive. If NFS access becomes too restrictive, consider the following options:

• Relax your NFS security by using a different access control mode.
• Store data that users need to share in separate directories and files, and apply fewer restrictions.

NetWare Rights and UNIX Permissions

This section contains the following topics:

• "Permissions Guidelines"
• "Mapping NetWare Rights and UNIX Permissions"
• "Translating NetWare Rights to UNIX Permissions"

Permissions Guidelines

In general, to avoid confusion, it is best to set up permissions and rights so as not to display files to users on the other systems who cannot use the files. Specifically, when storing files that NFS users access, you can avoid problems by following two rules.

• Do not store applications in directories shared by NFS users, or make sure the application files do not have execute permission.
• Do not store data files created by applications in shared directories unless you know the files are compatible with a version of the application available to NFS users.

Mapping NetWare Rights and UNIX Permissions

When a user accesses a file on a mounted file system, the request can pass through a NetWare security check, an NFS security check, or both depending on the access mode selected. Each of these security checks function independently. If the access mode specifies security checks on both sides, the Gateway first checks the user's NetWare access rights. Then, if the Gateway accepts the user's request, the request passes to the remote NFS server, and NFS does its check. This arrangement lets the administrator on the NetWare side impose greater restrictions on access control than those set on NFS.

When the Gateway translates NetWare rights to NFS permissions or permissions to rights as dictated by the access mode, the conversion is nearly equivalent, but a direct one-to-one match is not possible. NetWare file security is more complex and powerful than NFS file security. The method of translating permissions to rights will, if necessary, adjust towards greater restriction rather than less in order to preserve the degree of NFS restrictions.

NOTE: Before NetWare file access rights can be translated to NFS file access permissions, the NetWare user must have an account on the NFS server and both accounts must be mapped together.

For example, suppose a NetWare administrator grants a Gateway user more rights than the user is permitted on the NFS file. In this case, the permissions on the NFS side do not change to allow more access. Even if the Gateway passes the user's request on to the NFS server, the NFS server would still deny access to the file.

"How NetWare Rights Translate to NFS Permissions" through "How NFS Permissions Translate to NetWare Rights" show how NetWare rights and UNIX permissions translate. These conversions take place for each of the following user categories:

• NetWare username <--> NFS owner UID (user identification)
• NetWare groupname <--> NFS GID (group identification)
• NetWare NDS group mapped to world <--> NFS world

Where more than one right or permission is shown for a given condition in the tables, those rights or permissions work in combination. For example, it is the combination of the NetWare rights of Create, Erase, and Write on a directory that translate to write permission on the NFS side.

Translating NetWare Rights to UNIX Permissions

"How NetWare Rights Translate to NFS Permissions" shows how NetWare rights translate to NFS permissions. These conversions happen when you add or delete trustees using NetWare utilities such as FILER.

NOTE: Translation occurs only when specified by the access mode.

"How NetWare Attributes Translate to NFS Permissions" shows how NetWare attributes translate to NFS permissions. These conversions happen when you modify a directory entry using NetWare utilities such as FILER and FLAG.

"How NFS Permissions Translate to NetWare Attributes" shows how NFS permissions translate to NetWare attributes.

These conversions happen when you create a directory or a file or when you reference a directory or a file for the first time.

"How NFS Permissions Translate to NetWare Rights" shows how NFS permissions translate to NetWare rights.